Fwd: NXDOMAIN Analysis

2022-12-06 Thread Silva Carlos
Hello everybody

I am a newbie to BIND DNS.

I would like your help to understand a little more about the problem below,
please:

Problem: Sometimes my DNS reports too many NXDOMAIN responses.

Question 1: Is there any way to identify the site/domain that is being
consulted and consequently generating NXDOMAIN?

Question 2: Is there any way to identify the DNS client that is
querying this non-existent website/domain?

I use DNSTOP, but it doesn't have a lot of information.

Many thanks to whoever helps me.
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: parental-agents clause - IP address only ?

2022-12-06 Thread Timothe Litt


On 06-Dec-22 01:58, Erich Eckner wrote:


[snip]
This made me curious: Is there some design rule forbidding bind to use 
the system resolver to resolve names it does not know about? I.e. why 
does it not query any resolvers in /etc/resolv.conf (probably via some 
system interface - sry, I have no idea, how "normal" programs resolve 
names) if it encounters an unknown name at a place where only an ip 
address is allowed so far?


That being said: I'm not saying, it *should* do so, I'm merely 
curious, why it does not. :-)


regards,
Erich


See man 3 getnameinfo and getaddrinfo for the current way of resolving 
DNS names via the standard library.  gethostbyname and gethostbyaddr are 
the older functions (overall less functional, harder to deal with IPv6 - 
but can deal with multiple names for a host).


Resolving names in a resolver can be complicated.  Especially when 
recovering from an outage - if you are the first resolver back, who do 
you ask?  Additionally, resolving names is slow - not a big problem for 
configuration data, unless you are operating a really large server. 
(Which many named operators are...)  But you don't want unnecessary 
resolution on live code paths.  Which creates the question: if a name is 
in, say an ACL: does that mean "whatever the name resolved to when the 
server started", or "whatever the name resolves to when the ACL is 
used"?   The latter might be expected, but performance would crater.  
Then there are the security issues: if someone can fool you into using 
their server for name resolution, they can get whatever configuration 
items to do what they want.  So, if allow-update is supposed to be your 
management host, they might supply an IP address that allows them to 
update your DNS.  Of course, there's DNSSEC - but that requires more 
infrastructure to be up when you boot that first server after a blackout.


None are insurmountable technical problems, but it's a lot of complexity 
(hence room for bugs).  The consensus is that it's not worth it for the 
return.  As noted earlier in the thread, most places where IP addresses 
are used are fairly static.  That lends itself to an external solution.  
(As examples, I have a root hints file from the 80s - while a couple of 
addresses have changed, it's still good enough today.  The root DNSSEC 
key has only changed once.  Server IP addresses change on a timescale of 
years - when hardware is replaced - maybe.  And when a corporate merger 
renumbers networks. Or if you're a small operator and don't own your IP 
addresses, when you change ISPs.)


This is also why I emphasized "TRUSTED" in selecting a suitable resolver 
for an external process.  In any case, using "include" in configurations 
can help to modularize/isolate the places where IP addresses are used.



Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.





Re: NXDOMAIN Analysis

2022-12-06 Thread Darren Ankney
The answers to both questions can probably be answered by logs
(possibly a slightly different config than my example below).  Have a
look at the manual for logging:
https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-definition-and-usage
My guess is that you can gain insight into both of your questions by
printing logs at the appropriate severity.

logging {
    channel primary_log {
        file "/var/log/named/primary.log" versions 3 size 250k;
        severity info;
        print-time local;
    };
    category default {
        primary_log;
    };
};

On Tue, Dec 6, 2022 at 7:48 AM Silva Carlos  wrote:
>
> Hello everybody
>
> I am newbie to BIND DNS.
>
> I would like your help to understand a little more about the problem below, 
> please:
>
> Problem: Sometimes my DNS reports too many NXDOMAIN responses.
>
> Question 1: Is there any way to identify the site/domain that is being 
> consulted and consequently generating NXDOMAIN?
>
> Question 2: Is there any way to identify the DNS client that is querying 
> this non-existent website/domain?
>
>  I use DNSTOP, but it doesn't have a lot of information.
>
> Many thanks to whoever helps me.
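Added example, not part of Darren's reply: a Python aggregator for BIND 9 query-log lines (the `client <addr>#<port> (<name>): query: ...` records that named writes once a `category queries` channel is configured), which counts queries per name and per client and records which clients asked for each name, i.e. the two questions in the original post. The query log does not carry the response code, so the names it surfaces still have to be matched against the NXDOMAIN cases; the sample lines embedded below are constructed, not taken from a real server.

```python
"""Aggregate BIND 9 query-log lines by queried name and by client."""
import re
from collections import Counter, defaultdict

# Matches the "client ... query: ..." part of a BIND 9 query-log line.
# The timestamp/category/severity prefix depends on the print-* channel
# options, so we search within the line instead of matching from its start.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) or None for non-query records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["client"], m["name"].lower().rstrip("."), m["qtype"]


def summarize(lines):
    """Per-name and per-client counters, plus which clients asked for each name."""
    by_name, by_client = Counter(), Counter()
    clients_for = defaultdict(Counter)
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        client, name, _qtype = rec
        by_name[name] += 1
        by_client[client] += 1
        clients_for[name][client] += 1
    return by_name, by_client, clients_for


# Constructed sample in the BIND 9 query-log format (addresses are documentation
# ranges; "wpad.corp.example" stands in for a typical search-domain miss).
SAMPLE = """\
06-Dec-2022 10:15:01.123 queries: info: client @0x7f3a1c0b2e60 192.0.2.10#53412 (wpad.corp.example): query: wpad.corp.example IN A +E(0)K (203.0.113.1)
06-Dec-2022 10:15:01.130 queries: info: client @0x7f3a1c0b2e60 192.0.2.10#53413 (wpad.corp.example): query: wpad.corp.example IN AAAA +E(0)K (203.0.113.1)
06-Dec-2022 10:15:02.004 queries: info: client @0x7f3a1c0b3f00 192.0.2.77#41001 (www.example.com): query: www.example.com IN A + (203.0.113.1)
06-Dec-2022 10:15:02.880 queries: info: client @0x7f3a1c0b2e60 192.0.2.10#53414 (wpad.corp.example): query: wpad.corp.example IN A +E(0)K (203.0.113.1)
06-Dec-2022 10:15:03.000 general: info: zone example.com/IN: loaded serial 2022120601
""".splitlines()

if __name__ == "__main__":
    names, clients, who = summarize(SAMPLE)
    for name, n in names.most_common(10):
        print(f"{n:5d} {name}  clients={dict(who[name])}")
    for client, n in clients.most_common(10):
        print(f"{n:5d} {client}")
```

Feed it the real file with `summarize(open("/var/log/named/query.log"))` and the most frequent names and their source clients come out on top.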


Containerizing BIND with Kubernetes

2022-12-06 Thread White, Peter
Is there any good source of documentation on containerizing an authoritative 
BIND instance in a Kubernetes cluster?

The main part I’m trying to grasp is how to dynamically horizontally scale the 
cluster and keep the BIND notify process working between the containers.

Thanks,
Peter